Expert claims press are overhyping Conficker

Reports of the Conficker worm are being vastly exaggerated and it will not have as big an impact as is being predicted, according to a researcher.

Rick Howard, director of security intelligence at iDefense, claimed that press coverage has overhyped the issue of Conficker, and although it is dangerous, the security community has known about this worm since the first variant.

Howard said: "The mitigation recommendations are the same for this fourth variant as they were for the first. Variants of the Conficker worm have been spreading since November of last year and the worm has infected millions of systems, but does not yet have a clear purpose.

"The attacker recently released a major update to Conficker, known as Conficker.C. This variant contains two major new features. First, the domain generation algorithm now creates 50,000 random domains, and attempts to contact 500 of them each day. It is completely impractical for the 'Conficker Cabal', a group of security researchers, to lock down all 50,000 domains generated each day.

"The attacker will not register all of these domains, but will have a much better chance of successfully registering at least one that infected nodes will contact. Given that Conficker.C nodes will only contact 500 of the domains each day, it is likely that they will not reach the Command and Control (C&C) server on the first day. It will likely be days or weeks before all nodes can be properly updated to the latest version."

Howard claimed that additions to the code include a P2P file-sharing ability and a change to the domain-name algorithm; these extra capabilities will spread the worm further and make it harder to track.

"The code has evolved and new functionalities have been added that make it harder to block, but the reason everyone is concerned is because they don't know what it will do. The attacker probably limited the total domains to contact to avoid generating too much traffic, which could bring attention to the infected computer by security administrators.

"The combination of these two update mechanisms will help solidify the attacker's control over the Conficker network, which the cabal has partially wrestled away. What the attacker does with the network after making updates is unclear. What is clear is that the threat of Conficker is nothing new, and the precautions responsible users and organisations have already deployed will protect them from the latest Conficker.C, despite the updates that will go live on April Fool's Day," said Howard.
